
`dirmngr` file previously from `gnupg2` in Mariner 1.0 missing from 2.0

Open dagood opened this issue 3 years ago • 5 comments

Found this while working on:

  • https://github.com/microsoft/go/issues/462 (for the Microsoft build of Go on MAR/MCR)

The official community-maintained golang images use `gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'` as part of the build: https://github.com/docker-library/golang/blob/a212f660f30646927c1a10ecdc7b579df2d28155/1.18/bullseye/Dockerfile#L78-L81

This doesn't work in the cblmariner.azurecr.io/base/core:2.0 image (sha256:a662db5808dae71209d3597ec622569a9707a32cb56395aed1965a378f8c92dd) because dirmngr isn't available. It also isn't provided in any of the distro packages:

$ docker run -it --rm cblmariner.azurecr.io/base/core:2.0 bash -c 'set -x
  gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796"
  tdnf provides /usr/bin/dirmngr'

+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796'
gpg: error running '/usr/bin/dirmngr': probably not installed
gpg: failed to start dirmngr '/usr/bin/dirmngr': Configuration error
gpg: can't connect to the dirmngr: Configuration error
gpg: keyserver receive failed: No dirmngr
+ tdnf provides /usr/bin/dirmngr
Loaded plugin: tdnfrepogpgcheck
Refreshing metadata for: 'CBL-Mariner Official Base 2.0 x86_64'
Refreshing metadata for: 'CBL-Mariner Official Microsoft 2.0 x86_64'
Refreshing metadata for: 'CBL-Mariner Official Extras 2.0 x86_64'
No data availableextras                   4521   100%

In 1.0 cblmariner.azurecr.io/base/core:1.0 (sha256:e874e70eb3497f536128923c47bd174bc8851af665eb2ee46a9ac586be0983aa), it works:

$ docker run -it --rm cblmariner.azurecr.io/base/core:1.0 bash -c 'set -x
  gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796"
  rpm -qf /usr/bin/dirmngr'

+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796'
gpg: key 7721F63BD38B4796: public key "Google Inc. (Linux Packages Signing Authority) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
+ rpm -qf /usr/bin/dirmngr
gnupg2-2.2.20-3.cm1.x86_64

The purpose of this gpg line in the Dockerfile is to trust Google's signatures to verify the binaries from https://go.dev/dl.

We don't depend on this for https://github.com/microsoft/go-images because we're using our own signature and don't set it up with a keyserver. So, I think we can remove the dependency on dirmngr by modifying the Dockerfiles without any impact to the image we produce. However, diverging from upstream like this may make maintenance more difficult for us in the future.

/cc @jaredpar

dagood avatar Jun 09 '22 16:06 dagood
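One way to drop the keyserver step the first post describes, so the build no longer needs dirmngr: import the key from an .asc file in the build context, pin its fingerprint to the one quoted above, and only accept a signature gpg reports as VALIDSIG by that key. This is an added example, not code from the issue or from the golang/go-images Dockerfiles; the key file, tarball and signature file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the golang images): verify a go.dev/dl
# tarball against Google's Linux Packages Signing Authority key without
# dirmngr. No --recv-keys, so no keyserver and no network access is needed.

PINNED_FPR='EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796'

# Canonical fingerprint: uppercase hex with all whitespace removed.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Long key ID is the last 16 hex digits of the fingerprint; this is the
# "key 7721F63BD38B4796" that gpg prints in the 1.0 run quoted in the issue.
keyid_from_fpr() {
    normalize_fpr "$1" | tail -c 16
}

# Fingerprints in `gpg --with-colons` output: "fpr" records, field 10.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Fingerprints from a VALIDSIG status line: field 3 is the signing (sub)key,
# field 12 the primary key. Either may be the pinned one.
validsig_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF >= 12) print $12 }'
}

# Succeeds only if the key file (assumed path) contains the pinned key.
keyfile_is_pinned() {
    gpg --batch --with-colons --show-keys "$1" | fprs_from_colons |
        grep -qx "$(normalize_fpr "$PINNED_FPR")"
}

# verify_go_tarball KEYFILE TARBALL SIGNATURE (all names are assumptions).
# A plain `gpg --verify` exit code only says "some key in the keyring signed
# this", so the VALIDSIG fingerprint is compared against the pinned value.
verify_go_tarball() {
    keyfile_is_pinned "$1" || { echo "key file does not carry the pinned key" >&2; return 1; }
    gpg --batch --import "$1" >/dev/null 2>&1 || return 1
    gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null | validsig_fprs |
        grep -qx "$(normalize_fpr "$PINNED_FPR")"
}
```

In a Dockerfile this replaces the `--recv-keys` line with a `COPY` of the .asc file followed by `verify_go_tarball`; the key file itself is fetched once by a maintainer and checked in, so a compromised or unreachable keyserver cannot affect the build.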

@dagood why was the gnupg2-2.3.3-3.cm2 package built without dirmngr support, just like gnupg2-2.2.20-3.cm1?

elsaco avatar Jun 13 '22 05:06 elsaco

why was the gnupg2-2.3.3-3.cm2 package built without dirmngr support, just like gnupg2-2.2.20-3.cm1?

Aha, I didn't realize this is what happened. I don't have any answers, I'm not a CBL-Mariner maintainer. I'm asking the same question.

dagood avatar Jun 13 '22 16:06 dagood

Ah, sorry, this seems to be my bad. I must have missed this regression when upgrading the package last November. Will take a look when I have some spare time this week.

oliviacrain avatar Jun 20 '22 18:06 oliviacrain

This issue is a bit deeper than I initially thought: dirmngr disappeared because gnutls was removed from the toolchain. Adding gnutls back to the toolchain is very undesirable, given our bias against toolchain bloat these days. I'm leaning towards adding dirmngr as an out-of-toolchain spec that is separate but version-entangled with gnupg2.

oliviacrain avatar Jul 11 '22 17:07 oliviacrain